diff --git a/internal/api/grpc/management/auth_checks.go b/internal/api/grpc/management/auth_checks.go
index 2b2ad25005b..b1160aa4d35 100644
--- a/internal/api/grpc/management/auth_checks.go
+++ b/internal/api/grpc/management/auth_checks.go
@@ -4,22 +4,27 @@ import (
 "context"
 "github.com/zitadel/zitadel/internal/api/authz"
+ "github.com/zitadel/zitadel/internal/command"
 "github.com/zitadel/zitadel/internal/zerrors"
 )
-func checkExplicitProjectPermission(ctx context.Context, grantID, projectID string) error {
+func checkExplicitProjectPermission(ctx context.Context) command.UserGrantPermissionCheck {
 permissions := authz.GetRequestPermissionsFromCtx(ctx)
 if authz.HasGlobalPermission(permissions) {
 return nil
 }
 ids := authz.GetAllPermissionCtxIDs(permissions)
- if grantID != "" && listContainsID(ids, grantID) {
- return nil
+ return func(projectID, grantID string) command.PermissionCheck {
+ return func(resourceOwner, aggregateID string) error {
+ if grantID != "" && listContainsID(ids, grantID) {
+ return nil
+ }
+ if listContainsID(ids, projectID) {
+ return nil
+ }
+ return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
+ }
 }
- if listContainsID(ids, projectID) {
- return nil
- }
- return zerrors.ThrowPermissionDenied(nil, "EVENT-Shu7e", "Errors.UserGrant.NoPermissionForProject")
 }
 func listContainsID(ids []string, id string) bool {
diff --git a/internal/api/grpc/management/user_grant.go b/internal/api/grpc/management/user_grant.go
index 3a894c8c29a..f1c12a03b94 100644
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
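Review bot: The new `checkExplicitProjectPermission` returns a nil `command.UserGrantPermissionCheck` when `authz.HasGlobalPermission(permissions)` holds, and nothing at the signature says so; the command layer's `checkUserGrantPreCondition` skips the check entirely on nil, so a reader of this file alone cannot tell that nil means "already authorized" rather than "no check configured". I would add above the signature: `// checkExplicitProjectPermission builds a UserGrantPermissionCheck bound to the request permissions in ctx.` / `// It returns nil when the caller holds a global permission; the command layer treats a nil check as authorized.` The inner closure ignores its `resourceOwner` and `aggregateID` arguments, which deserves a one-line comment (`// resourceOwner and aggregateID are not consulted; only the project and grant IDs decide`) so the unused parameters are not read as an omission. Note also that `ids` is computed once when the outer function runs, so the returned check reflects the permissions in `ctx` at construction time, which fits the per-request call sites in this commit.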
@@ -45,10 +45,7 @@ func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantR
 func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) {
 grant := AddUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID)
- if err := checkExplicitProjectPermission(ctx, grant.ProjectGrantID, grant.ProjectID); err != nil {
- return nil, err
- }
- grant, err := s.command.AddUserGrant(ctx, grant, nil)
+ grant, err := s.command.AddUserGrant(ctx, grant, checkExplicitProjectPermission(ctx))
 if err != nil {
 return nil, err
 }
@@ -63,7 +60,7 @@ func (s *Server) AddUserGrant(ctx context.Context, req *mgmt_pb.AddUserGrantRequ
 }
 func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) {
- grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, nil)
+ grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req, authz.GetCtxData(ctx).OrgID), false, false, checkExplicitProjectPermission(ctx))
 if err != nil {
 return nil, err
 }
diff --git a/internal/command/user_grant.go b/internal/command/user_grant.go
index cd659d0bc1e..f6e918d267f 100644
--- a/internal/command/user_grant.go
+++ b/internal/command/user_grant.go
@@ -340,7 +340,7 @@ func (c *Commands) checkUserGrantPreCondition(ctx context.Context, usergrant *do
 if check != nil {
 return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "")
 }
- return checkExplicitProjectPermission(ctx, usergrant.ProjectGrantID, usergrant.ProjectID)
+ return nil
 }
 // this code needs to be rewritten anyways as soon as we improved the fields handling
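Review bot: `checkUserGrantPreCondition` now returns nil when `check` is nil, so project-level authorization rests entirely on every caller of `AddUserGrant`/`ChangeUserGrant` supplying a non-nil check; the management handlers in this diff do, but any other caller still passing `nil` (as these handlers did before) gets no project check at all instead of the former in-layer fallback. The test change in user_grant_test.go, where the expected `zerrors.IsPermissionDenied` now requires an explicit `failingUserGrantPermissionCheck`, confirms that nil no longer denies. I would document the contract on the function (`// check == nil means the caller already authorized the request, e.g. via a global permission; no default check is applied`) and audit the remaining call sites that pass nil, or have the API layer return a non-nil allow-all check for the global-permission case so that nil unambiguously means "not provided". `checkUserGrantPreConditionOld` in the next hunk has the same fallback. The enclosing function starts outside the hunk.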
@@ -488,7 +488,7 @@ func (c *Commands) checkUserGrantPreConditionOld(ctx context.Context, usergrant
 if check != nil {
 return check(usergrant.ProjectID, usergrant.ProjectGrantID)(usergrant.ResourceOwner, "")
 }
- return checkExplicitProjectPermission(ctx, usergrant.ProjectGrantID, usergrant.ProjectID)
+ return nil
 }
 func (c *Commands) searchProjectOwnerAndGrantID(ctx context.Context, projectID string, grantedOrgID string) (projectOwner string, grantID string, err error) {
diff --git a/internal/command/user_grant_test.go b/internal/command/user_grant_test.go
index 14be9f324e1..6299b04ed66 100644
--- a/internal/command/user_grant_test.go
+++ b/internal/command/user_grant_test.go
@@ -1072,9 +1072,10 @@ func TestCommandSide_ChangeUserGrant(t *testing.T) {
 },
 UserID: "user1",
 },
+ permissionCheck: failingUserGrantPermissionCheck,
 },
 res: res{
- err: zerrors.IsPermissionDenied,
+ err: isMockedPermissionCheckErr,
 },
 },
 {